Every day, developers have the daunting task of tracing vulnerabilities back in a morass of commits. In this article, we report the experience of the industrial open source tool, Prospector, to support developers in this task.

Detailed code-level vulnerability data are essential to fuel software composition analysis (SCA) tools that are used to detect known vulnerabilities in open source software (OSS) dependencies. However, such data are scarce; advisories rarely contain information about the code changes that fix the flaws they describe. Finding such code changes (for example, in source code repositories such as Git) manually is time consuming and error prone as it involves the analysis of multiple unstructured resources.